Azure AD application details to record:
- Defender Tenant ID
- Application ID
- Scope
- Client Secret
API permissions required by the Azure AD application:
- Alert.Read.All
- Machine.Isolate
- Machine.StopandQuarantine
- Ti.ReadWrite.All
- Machine.Read.All
- Machine.Scan
- SecurityAlert.Read.All
- SecurityIncident.Read.All
BlueApp for Microsoft Defender ATP Configurations
To set up the BlueApp for Microsoft Defender ATP, you first need to create an Azure Active Directory (Azure AD) application and record your Tenant ID, Application ID, Scope, and Client Secret during that process.
To enable the BlueApp for Microsoft Defender ATP
- In USM Anywhere, go to Data Sources > BlueApps.
- Click the Available Apps tab.
- Search for the BlueApp, and then click the tile.
- Click Configure API.
- If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled BlueApp. BlueApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select a sensor that can reach the integration endpoint: the HTTPS connections to the API originate from this sensor, so it must have network access to the BlueApp API endpoints.
- Enter the following items:
- Application ID
- Tenant ID
- Scope
- Client Secret
 
- Click Save.
- Verify the connection.
After USM Anywhere completes a successful connection to the Microsoft Defender ATP APIs, a success icon displays in the Health column. If an error icon displays instead, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Microsoft Defender ATP connection.
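If the Health column reports a connection problem, a common cause is an Azure AD application that was created without all of the API permissions listed at the top of this page. The following script is an added example, not part of the USM Anywhere or Microsoft documentation: it requests a token with the recorded Tenant ID, Application ID, and Client Secret, then reports which required permissions are absent from the token's roles claim. The scope value is an assumption (the Defender for Endpoint API default scope); substitute the Scope you recorded if it differs.

```python
"""Pre-flight check for the Azure AD app used by the BlueApp for Microsoft Defender ATP."""
import base64
import json
import urllib.parse
import urllib.request

# Application permissions listed in this document for the Defender ATP BlueApp.
REQUIRED_ROLES = {
    "Alert.Read.All", "Machine.Isolate", "Machine.StopandQuarantine",
    "Ti.ReadWrite.All", "Machine.Read.All", "Machine.Scan",
    "SecurityAlert.Read.All", "SecurityIncident.Read.All",
}

def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a JWT WITHOUT verifying its signature.
    Only for inspecting a token we obtained ourselves; never use this to accept tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(token: str) -> set[str]:
    """Required permissions that do not appear in the token's ``roles`` claim.
    Compared case-insensitively so portal capitalisation differences do not matter."""
    granted = {r.lower() for r in decode_jwt_claims(token).get("roles", [])}
    return {r for r in REQUIRED_ROLES if r.lower() not in granted}

def fetch_token(tenant_id: str, app_id: str, client_secret: str,
                scope: str = "https://api.securitycenter.microsoft.com/.default") -> str:
    """Client-credentials token request. The default scope is an assumption."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": app_id,
        "client_secret": client_secret, "scope": scope,
    }).encode()
    with urllib.request.urlopen(url, body, timeout=30) as resp:
        return json.load(resp)["access_token"]

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the check can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    # Constructed sample token with only two of the required roles granted.
    sample = make_unsigned_token({"roles": ["Alert.Read.All", "Machine.Read.All"]})
    print("missing permissions:", sorted(missing_roles(sample)))
```

To check a real application, replace the constructed sample with `fetch_token(tenant_id, app_id, client_secret)` and grant any permission the script reports as missing before retrying the BlueApp connection.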
Collect Logs from Microsoft Defender ATP
There are two ways to collect logs from Microsoft Defender ATP:
- Through the Microsoft Defender for Endpoints API
- From Azure Event Hubs
Important: Do not configure both methods because it will create duplicate events.
The API Method
For the API method, since you’ve already connected to the API when configuring the BlueApp for Microsoft Defender ATP, the remaining task is to enable the log collection scheduler job in USM Anywhere.
To collect logs using the API
- In the USM Anywhere main menu, go to Settings > Scheduler and search for the collection job for the BlueApp.
- Enable the job if it is not already enabled. To customize the log collection rate, click the edit icon and set the desired interval for log collection.
The Azure Event Hubs Method
If you want to use Azure Event Hubs instead, you must first stream the logs from Microsoft Defender ATP to Azure Event Hubs, and then enable the Event Hubs log collection on your Azure Sensor.
To stream logs from Azure Event Hubs
- Log in to the Azure portal.
- Create an event hub. See Microsoft Azure Quickstart: Create an event hub using Azure portal for instructions.
- Go to the event hub you just created and click Shared access policies in the sidebar.
- Create or edit a policy, and then select Manage, Send, and Listen. Streaming to Event Hubs requires these permissions.
- Copy the connection string listed in the policy under Connection string-primary key. You need to enter this string when configuring the Event Hubs connection in USM Anywhere.
- Configure streaming for Microsoft Defender ATP logs. See Configure Microsoft Defender ATP to stream Advanced Hunting events to your Azure Event Hubs for instructions from Microsoft.
Note: Make sure to enable Stream to an event hub and select the Event Hub you just created as the destination.
- Go to Data Sources > Sensors and open the Azure Sensor.
- Click the Configurations tab.
- Complete the three fields:
- Event Hub Name: The name of the event hub created during initial setup.
- Event Hub Connection String: A string containing unique configuration data about your Azure Event Hubs implementation. This is the Connection string-primary key value you copied in the previous procedure.
- Event Hub Consumer Group: The name of your Event Hubs consumer group. You can locate this name by opening your Event Hubs overview in the Azure portal and scrolling to the bottom of the page.
 
- (Optional) Select **Process generic events?** to collect events for which USM Anywhere currently does not have a parser. These events will display as “GENERIC event” under Activity > Events.
- Click Save.
- Click the Event Hub tab to check the connection status and the number of events processed by each data source.